net.ipv4.tcp_synack_retries = 3
net.ipv4.conf.default.arp_filter = 1
-net.ipv4.conf.default.rp_filter = 0
+net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.arp_filter = 1
-net.ipv4.conf.all.rp_filter = 0
+net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
+# However, enable some IPv6 hardening sysctl's in case this system is run customly _with_ IPv6.
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
# Enable netfilter accounting
net.netfilter.nf_conntrack_acct = 1
fs.protected_fifos = 2
fs.protected_regular = 2
-# Minimal preemption granularity for CPU-bound tasks:
-# (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds)
-kernel.sched_min_granularity_ns = 10000000
-
# If a workload mostly uses anonymous memory and it hits this limit, the entire
# working set is buffered for I/O, and any more write buffering would require
# swapping, so it's time to throttle writes until I/O can catch up. Workloads
# and move them to swap cache
vm.swappiness = 1
-# The total time the scheduler will consider a migrated process
-# "cache hot" and thus less likely to be re-migrated
-# (system default is 500000, i.e. 0.5 ms)
-kernel.sched_migration_cost_ns = 5000000
-
# Increase kernel buffer size maximums
net.ipv4.tcp_mem = 16777216 16777216 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
# Include PID in file names of generated core dumps
kernel.core_uses_pid = 1
+
+# Block non-uid-0 profiling
+kernel.perf_event_paranoid = 3
+
+# Only processes with CAP_SYS_PTRACE may use ptrace
+kernel.yama.ptrace_scope = 2